cert-manager · cert-manager-prow · Nov 7, 2025 · Nov 3, 2025 · inteon · Nov 3, 2025
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -4,10 +4,6 @@ linters:
   exclusions:
     generated: lax
     presets: [comments, common-false-positives, legacy, std-error-handling]
-    rules:
-      - linters:
-          - modernize
-        text: .*
     paths: [third_party, builtin$, examples$]
     warn-unused: true
   settings:

diff --git a/...arts/approver-policy/templates/crd-policy.cert-manager.io_certificaterequestpolicies.yaml b/...arts/approver-policy/templates/crd-policy.cert-manager.io_certificaterequestpolicies.yaml
@@ -1140,6 +1140,8 @@ spec:
                     - type
                   x-kubernetes-list-type: map
               type: object
+          required:
+            - spec
           type: object
       served: true
       storage: true

diff --git a/deploy/crds/policy.cert-manager.io_certificaterequestpolicies.yaml b/deploy/crds/policy.cert-manager.io_certificaterequestpolicies.yaml
@@ -1157,6 +1157,8 @@ spec:
                 - type
                 x-kubernetes-list-type: map
             type: object
+        required:
+        - spec
         type: object
     served: true
     storage: true

diff --git a/pkg/apis/policy/v1alpha1/types_certificaterequestpolicy.go b/pkg/apis/policy/v1alpha1/types_certificaterequestpolicy.go
@@ -37,19 +37,23 @@ var CertificateRequestPolicyKind = "CertificateRequestPolicy"
 // makes decisions on whether applicable CertificateRequests should be approved
 // or denied.
 type CertificateRequestPolicy struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata"`
 
-	Spec   CertificateRequestPolicySpec   `json:"spec,omitempty"`
-	Status CertificateRequestPolicyStatus `json:"status,omitempty"`
+	Spec CertificateRequestPolicySpec `json:"spec"`
+	// +optional
+	Status CertificateRequestPolicyStatus `json:"status,omitzero"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // CertificateRequestPolicyList is a list of CertificateRequestPolicies.
 type CertificateRequestPolicyList struct {
 	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []CertificateRequestPolicy `json:"items"`
+	// +optional
+	metav1.ListMeta `json:"metadata"`
+
-
-
+	Items []CertificateRequestPolicy `json:"items"`
 }
 
 // CertificateRequestPolicySpec defines the desired state of

diff --git a/pkg/internal/approver/constraints/evaluator.go b/pkg/internal/approver/constraints/evaluator.go
@@ -108,7 +108,7 @@ func (c constraints) Evaluate(_ context.Context, policy *policyapi.CertificateRe
 
 // decodePublicKey will return the algorithm and size of the given public key.
 // If the public key cannot be decoded, an error is returned.
-func decodePublicKey(pub interface{}) (cmapi.PrivateKeyAlgorithm, int, error) {
+func decodePublicKey(pub any) (cmapi.PrivateKeyAlgorithm, int, error) {
 	switch pubKey := pub.(type) {
 	case *rsa.PublicKey:
 		return cmapi.RSAKeyAlgorithm, pubKey.N.BitLen(), nil

diff --git a/pkg/internal/approver/validation/serviceaccount.go b/pkg/internal/approver/validation/serviceaccount.go
@@ -41,11 +41,11 @@ func ServiceAccountLib() cel.EnvOption {
 }
 
 // ConvertToNative implements ref.Val.ConvertToNative.
-func (sa ServiceAccount) ConvertToNative(typeDesc reflect.Type) (interface{}, error) {
-	if reflect.TypeOf(sa).AssignableTo(typeDesc) {
+func (sa ServiceAccount) ConvertToNative(typeDesc reflect.Type) (any, error) {
+	if reflect.TypeFor[ServiceAccount]().AssignableTo(typeDesc) {
 		return sa, nil
 	}
-	if reflect.TypeOf("").AssignableTo(typeDesc) {
+	if reflect.TypeFor[string]().AssignableTo(typeDesc) {
 		return serviceaccount.MakeUsername(sa.Namespace, sa.Name), nil
 	}
 	return nil, fmt.Errorf("type conversion error from 'serviceaccount' to '%v'", typeDesc)
@@ -77,7 +77,7 @@ func (sa ServiceAccount) Type() ref.Type {
 }
 
 // Value implements ref.Val.Value.
-func (sa ServiceAccount) Value() interface{} {
+func (sa ServiceAccount) Value() any {
 	return sa
 }
 

diff --git a/pkg/internal/approver/validation/validator.go b/pkg/internal/approver/validation/validator.go
@@ -86,7 +86,7 @@ func (v *validator) Validate(value string, request cmapi.CertificateRequest) (bo
 		return false, errors.New("must compile first")
 	}
 
-	vars := map[string]interface{}{
+	vars := map[string]any{
 		varSelf: value,
 		varRequest: &CertificateRequest{
 			Name:      request.GetName(),

diff --git a/pkg/internal/webhook/validator.go b/pkg/internal/webhook/validator.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"slices"
 	"sort"
 
 	"github.com/go-logr/logr"
@@ -75,15 +76,7 @@ func (v *validator) validate(ctx context.Context, obj runtime.Object) (admission
 	// Ensure no plugin has been defined which is not registered.
 	var unrecognisedNames []string
 	for name := range policy.Spec.Plugins {
-		var found bool
-		for _, known := range v.registeredPlugins {
-			if name == known {
-				found = true
-				break
-			}
-		}
-
-		if !found {
+		if !slices.Contains(v.registeredPlugins, name) {
 			unrecognisedNames = append(unrecognisedNames, name)
 		}
 	}